It’s 10 p.m.: Do you know where your applications are?

Kara Sprague
Published July 23, 2019

It’s not even a question anymore: Every company is now a software company with a digital mandate. Applications are firmly established as the primary vehicle through which companies develop and deliver goods and services. They have become the most important asset of the modern enterprise, especially for those digital natives: the Lyfts, LinkedIns, and WhatsApps of the world.

Welcome to the age of application capital.

Today a company’s application portfolio can be worth billions, and apps are found wherever work is done—conferencing equipment, factory floors, thermostats, aquariums, you name it. And yet most companies only have an approximate sense of how many applications they actually have, where they’re running, or whether they’re under threat. Organizations worldwide have continually innovated, iterated, and built their application capital—without also building a cohesive organizational strategy for managing it.

Compounding this is the challenge of complexity. In our latest research, 90 percent of customers reported that they were using multiple clouds, averaging 2.5 per organization. More than half said they’re making decisions on where to host applications on a per-app basis. Larger companies could have hundreds—if not thousands—of permutations of applications, clouds and servers, and the support those applications receive might vary dramatically.

Why so different?

For most companies, application capital is poorly supervised at best and under serious threat at worst. But with so many apps spread far and wide, threats can come from almost anywhere, and the effects of a breach can be devastating for the organization.

A few years ago, the CEO of Target resigned after hackers stole millions of customer records from the company—the attackers had gained access to Target’s point-of-sale devices through an HVAC system. Just last year, a London-based casino lost its high-roller database after hackers got into their network through the digital thermometer in a lobby aquarium. These two seemingly innocuous entry points show the serious danger of free-range application portfolios. And yet I have not encountered a large organization that can report, with confidence, the number of applications they have in their portfolio.

In contrast, the way organizations manage physical and human capital has been a continual focus in business, refined over the course of decades. Companies like Airbus rely on a network of thousands of suppliers and precision timing across a worldwide supply chain to make one airplane. Airbus is also able to track and monitor the performance, usage, location, and health of each of its jet engines at any moment in time.

UPS has a similar level of sophistication when it comes to managing people. The company oversees a huge global delivery network that employs hundreds of thousands of workers, with such granular insight into their activities that it can prescribe how drivers should enter and exit their vehicles to maximize efficiency and minimize injury.

If we’re going to gain a toehold toward minimizing threats so we can maximize the value of the application ecosystem, organizations need to start investing the same energy and resources into their application capital as they do with physical assets and talent. The trick is how to apply the same rigor and discipline to the ephemeral nature of digital items.

Building an application strategy

To manage application capital effectively, companies need to start by establishing a companywide application strategy that sets policy and establishes a basis for compliance. The application strategy should address how applications in the enterprise portfolio are built, acquired, deployed, managed, secured, and retired. There are many ways to go about this, but we generally prescribe six distinct steps:

  1. Build an application inventory that includes the function and origin of every app, along with the data it consumes, services it communicates with, open-source or third-party components it contains, who has access to it, and who develops or maintains it.
  2. Assess the cyber risk for each application in terms of the relative cost or impact of a breach of the application itself or the identities associated with the application.
  3. Define application categories around the cyber risk associated with the applications, and assign minimum application service requirements for each.
  4. Identify the application services needed to support each of the application categories, such as web application firewalls, anti-DDoS, anti-bot, global availability, and load balancing services.
  5. Define parameters for application deployment and management for each application category, including deployment architectures, acceptable public cloud options and third-party services.
  6. Clarify roles and responsibilities around deployment, security, user access, third-party monitoring, and accounting for apps as they are added and removed.

The primary aim of an application strategy should be to enhance and secure all digital capabilities—even while the company continues to increase and expand those capabilities. The combination of these elements helps ensure that everyone is doing the right thing, accounting for and protecting all applications in the organization’s ecosystem while keeping the wheels of innovation turning.

One major difference between physical and digital assets makes this process all the more important: the ever-present threat landscape. Because applications extend beyond the company to the customers and partners who use them, effective stewardship of application capital is a business imperative.

This is an issue that is only getting more complex and challenging, so there is no better time to start. Learn more about how F5 can help.